Using SSO how to log new FoxyCart customer into our site after successful purchase?

versatil Member
in Help edited May 2014
Having read through the docs and tested some stuff out it seems it is recommended to use FoxyCart for the full checkout/registration flow. That's fine by me.

From what I understand the process is something like this:

1. Guest visits our Site
2. Guest goes to subscribe to our services
3. Clicks a subscription plan, using cart=checkout&empty=true we redirect the Guest to the FoxyCart Checkout page
4. Guest punches in valid email/password/confirm password combo, billing info, cc/paypal, hits continue
5. On successful transaction FoxyCart sends instant datafeed to our Endpoint
6. We process it, create a new User on our end linked to the FoxyCart Customer
7. Guest is now a FoxyCart Customer and arrives at FoxyCart Receipt page

...

Now how do we go from FoxyCart Customer to logged-in User (created in step 6)?

I have a number of ideas of how this could possibly be implemented but I am not sure what is the best way to go about this.

Are there any best practices, recommendations at this point?

Some of the ideas I had are like:

Do we use jsonp somehow to log them in in advance of clicking continue?

Or do we use the continue link itself to do the login when they get back to our site?

How do we do this automatically determining who exactly this person is? Is the receipt id good (secure) enough, but in conjunction with what? How do we identify this person as a Customer->User?
Comments
  • fc_adam FoxyCart Team
    @versatil,
    Having read through the docs and tested some stuff out it seems it is recommended to use FoxyCart for the full checkout/registration flow. That's fine by me.

    Actually that's not necessarily the recommendation. If you're requiring customers to sign up and using SSO to sync customers between the two, you could actually require customers be signed up on your site before they can hit the checkout.

    In terms of allowing the registration on the FoxyCart checkout and then also automatically logging in the person on your own site - currently there isn't a super-easy way to achieve it. We have a ticket on our side to look into that to have effectively a post-checkout SSO set up that would allow you to achieve it, but right now you would need to basically fake that kind of functionality.

    Take a look at fred's post on this thread for an overview of how that could work: https://forum.foxycart.com/discussion/8085/sso-can-we-implement-reverse-login-flow/p1
  • I would prefer to make the checkout as simple as possible, I would prefer they can create a user/password in the same page as their purchase. Less steps the better.

    Faking the kind of functionality I'm looking for is fine, provided it's secure.

    My idea instead of redirecting to a continue link or whatever is load a JavaScript file which is actually loaded up via php. This way if everything checks out they could be logged into our system in the background before they click continue.

    According to that other thread with Twig we could insert the customer_id which is great, perfect really, but two things:
    - After a transaction - Do I receive a datafeed before the receipt page is loaded? Is this in sequence all the time?
    - How can we verify on our end this person really is the customer they say they are (e.g. with a '?customer_id=##')? I was thinking also sending the receipt id and checking their IP so it matches what's in the receipt at the time but that doesn't seem very reliable. I'm not really seeing anything in the api that I could do a compare/contrast with.

  • fc_adam FoxyCart Team
    @versatil,

    The key thing is that you'd need to create the logged in cookie for your own site - not on our site - so you wouldn't really be able to do that from the receipt page directly - hence why we recommend the quick redirect to your site.

    -After a transaction - Do I receive a datafeed before the receipt page is loaded? Is this in sequence all the time?

    The answer here is - you should. That said though, if there are delays in reaching your endpoint for some reason, or if the datafeed endpoint fails, then there could be a chance that it doesn't reach your server before the middleman page would be loaded. To counteract that, you could instead just utilise the API and ping our server for the specific transaction based on the transaction ID. You could also do that conditionally if the datafeed hasn't arrived yet.

    -how can we verify on our end this person really is the customer they say they are (e.g. with a '?customer_id=##')?

    Great question. Firstly, I'd recommend that the middleman script be loaded over an HTTPS certificate. Next, you could only allow this auto-login to occur if it happens within a certain timeframe of the transaction taking place. For example, only if the transaction happened within the last 2 minutes. You could also only perform the redirect to your middleman script on the first time the receipt is displayed as well. That way, if someone else stumbles upon the receipt URL and loads it up, they won't be automatically logged in. Finally, you could also confirm that the user's IP address matches the one logged against the transaction to ensure they are who they say they are.
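The checks fc_adam lists above (HTTPS only, short time window, first receipt view only, client IP matching the transaction) combined into one decision function for the middleman endpoint, as an added example that is not FoxyCart's code nor the poster's. It assumes the datafeed handler has already stored each transaction locally under field names chosen here; the record and timestamps are constructed, and the API fallback for a late datafeed is left to the caller.

```python
import hmac

# Constructed sample of what our datafeed endpoint stored for one transaction.
# Field names here are assumptions, not FoxyCart's datafeed schema.
TRANSACTIONS = {
    "12345": {
        "customer_id": "987",
        "customer_ip": "203.0.113.7",
        "completed_at": 1398945600,   # unix seconds, constructed
        "auto_login_used": False,     # becomes True after the first receipt view
    },
}

AUTO_LOGIN_WINDOW_SECONDS = 120   # "within the last 2 minutes"


def authorize_auto_login(params, client_ip, is_https, now):
    """Decide whether the middleman script may set our site's login cookie.

    params    - query parameters the receipt page passed to the middleman
    client_ip - address the middleman request came from
    is_https  - whether the middleman was reached over TLS
    now       - current unix time
    Returns (allowed, reason); only an allowed result may create a session.
    """
    if not is_https:
        return False, "middleman must be loaded over https"
    txn = TRANSACTIONS.get(str(params.get("transaction_id", "")))
    if txn is None:
        # Datafeed may not have arrived yet; the caller could fall back to the API.
        return False, "unknown transaction"
    # Constant-time compare so response timing does not leak the customer id.
    if not hmac.compare_digest(txn["customer_id"], str(params.get("customer_id", ""))):
        return False, "customer_id does not match transaction"
    age = now - txn["completed_at"]
    if age < 0 or age > AUTO_LOGIN_WINDOW_SECONDS:
        return False, "transaction outside auto-login window"
    if txn["auto_login_used"]:
        return False, "auto-login already consumed for this receipt"
    if txn["customer_ip"] != client_ip:
        return False, "client IP does not match transaction"
    txn["auto_login_used"] = True   # single use: a re-loaded receipt URL fails here
    return True, "ok"
```

Every rejecting check runs before the single-use flag is set, so a failed attempt does not consume the legitimate customer's one chance to be logged in.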
  • @fc_adam
    The key thing is that you'd need to create the logged in cookie for your own site - not on our site - so you wouldn't really be able to do that from the receipt page directly

    I figured this was possible via javascript/jsonp (script tags & src).

    As for everything else you said that was all brilliant. Thanks. And yes, definitely everything must be over https and only https!
  • fc_adam FoxyCart Team
    @versatil,

    When it comes to cookies - there are a whole stack of restrictions that prevent you from creating cookies for another domain than the one you're actually on. Your best bet would be to redirect the customer to your own site and back to the receipt (hopefully quick enough that it's transparent to them) to ensure it's all done correctly.